Data sovereignty is a big concern for many companies in SA, says NetApp SA country manager Morne Bekker.

"A lot of companies are concerned over where their data is. If you go to a hyperscaler, you don't know whether the data is in-country or in Europe or the US, and obviously wherever it resides it is governed by those laws, which could be a concern if you are a financial institution, for example," he told ITWeb during an interview at a NetApp event in Johannesburg.

Nasdaq-listed NetApp is a global data management and cloud storage solutions provider. Bekker was appointed as South African country manager and district manager for the SADC region in June.

He says alongside the sudden proliferation of cloud services, many countries have embarked on the process of implementing new compliance and regulatory measures around data sovereignty, data ownership and data security.

"This has caused a lot of confusion among business owners, who have been given a limited amount of time to comply with a barrage of new rules and regulations," he says.

In SA, this comes in the form of the Protection of Personal Information Act (POPIA), which should come into effect in 2018. The regulation will dictate how companies collect, share and store their customers' personal data. But if the data resides outside of SA, organisations will also need to comply with the regulations of the region it resides in.

"Traditionally within South Africa, enterprise data has been stored on cloud servers beyond our geopolitical borders and hence outside of our legal jurisdiction. Although there has been a shift towards the rise of regional data centres, the majority of local South African data still resides on continents such as Europe," Bekker adds.

"By 2018, data will be governed according to the principles of the General Data Protection Regulation (GDPR), which will reshape organisational approaches towards data privacy. Basically, the GDPR applies to any company, anywhere in the world that processes European Union citizens' data."

He says that according to the GDPR, organisations will need to minimise the amount of personal data collected; understand and manage personal data accordingly; and notify the regulators of a data breach within 72 hours.

"If you control your data then you always know where it is, so you can have it with you, and the sovereignty issue goes away. That's really what we do with our cloud strategy: give customers back the control over where their data is."

In terms of POPIA, Bekker believes South African companies are preparing for the regulation to kick in.

"I think people are more conscious today around data and the management of their data and what is actually stored. Obviously, with all of the security breaches, that becomes a bigger issue as well. What happens if we get attacked and exposed? If you look at the Target attack in the US, everybody knows the case study around that. They didn't even know they got attacked until later on, but the reputational damage was enormous. So you need to be prudent."

Bekker says in order for South African companies to manage new regulatory measures, they need to build a strong data privacy compliance network. He says companies like NetApp provide secure platforms where customers can interact with their data, "but it is still going to be up to individual customers to put the processes in place of what data they are actually retaining and unfortunately as a vendor we can't control all of that".

"We can provide the management tools and functionality, etc, but it's going to essentially be customers' process that drives what data they retain," he concludes.